Malicious PDF — malware analysis report

Static analysis result for SHA-256 786329dd7b8f537e…

Verdict: MALICIOUS
File type: PDF
Size: 75.9 KB
Created: 2021-05-03 08:41:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ded7b288ab49f907ca31762aea7cbc20
SHA-1: d0d5d5a9166b532b9c8819251db7815974b4b09b
SHA-256: 786329dd7b8f537efeb8dd6bba73245d513a2bf8bf0be76033d914ca56dbef03
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan' and an ML classifier indicating maliciousness. The presence of a large number of external links, including a link farm, suggests an attempt to redirect users to malicious content or phishing sites. The document body, though truncated, contains metadata indicating it was generated by wkhtmltopdf, a tool often used to create PDFs from web content, which could be leveraged for malicious purposes.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/strik?utm_term=can+i+take+a+nap+wearing+contact+lenses
    • http://xawamiwupajev.mygamesonline.org/288289439.pdf
    • http://retamos.mygamesonline.org/programa_para_calcular_integrales_definidas_online.pdf
    • http://saduzemed.mypressonline.com/emotional_intelligence_appraisal.pdf
    • http://rinetiwirejux.iblogger.org/on_writing_stephen_king_rhetorical_analysis.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/xebuvuwov/93424116923.pdf
    • https://83d7d1d1-3661-4158-a2cc-78aa4aa39d08.filesusr.com/ugd/163759_af9c78baec854734ac2ac3ce99d0a8db.pdf?index=true
    • https://s3.amazonaws.com/lukepepe/72931576582.pdf
    • https://3633ae4e-9acc-45df-885e-1bfa1481cb44.filesusr.com/ugd/e73054_0cc0ef6f9147457f9dfd327e51a9b537.pdf?index=true
    • https://35e1cc1d-5f6c-4a41-9b1b-b9ae8dddc97a.filesusr.com/ugd/351eee_4e9d957e80f74f148dfc743f09ec78fa.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9d0677c2-4d8d-4c5a-94e2-c2a181e08c06/pride_and_prejudice_2005_full_movie_netflix.pdf
    • https://d9e21584-559d-470c-b0e9-829a80f361fa.filesusr.com/ugd/989f82_d7129617ead441e38eaca230c8a8c6e1.pdf?index=true
    • https://94ac7338-8c66-48ed-b7e4-01cccba3eff0.filesusr.com/ugd/9b8421_07da47de8323430c8bf16df67743ccf7.pdf?index=true
    • https://s3.amazonaws.com/remeranexe/90854110970.pdf
    • http://zejenideve.rf.gd/90778279080.pdf
    • https://a1c9bafd-2917-4c1b-b79c-a4b44a941470.filesusr.com/ugd/f0f215_6bc136c524db483dba2ca6d43fa9da45.pdf?index=true
    • http://lanekozelibafu.rf.gd/fonudisi.pdf
    • https://bd7a0a6f-bbfd-49cc-ba41-c3f2778102d9.filesusr.com/ugd/9ea91e_56557e502190410b871589a92ec4f297.pdf?index=true
    • https://14da0a27-f261-4d4b-8668-3a369f5c966d.filesusr.com/ugd/46429b_d2670d5d0c0449ff8c350f0f27c2ffb8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b4abfbe4-0db0-41f4-a77e-feab39b702b9/projective_geometry_in_art.pdf
    • http://xujamaxopubisa.rf.gd/what_are_the_4_quadrants_of_operant_conditioning.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size.

  • font_00_sfnt_off0000ed57.bin
    SHA-256: dd4a31877ff908c3dce425dbfca27e6840f7cc7b81dbae3e94fb6c56b41e0e0e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED57
    Size: 5164 bytes
  • font_01_sfnt_off0000ff0e.bin
    SHA-256: 1061114bba78753c1388a5cdcbddacc6e7c9f3cb71cccaa85e72bd756e6f9fcb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFF0E
    Size: 10280 bytes